Impact
The atec Debug WordPress plugin fails to validate the value of the 'debug_path' parameter, allowing Administrator-level (or higher) users to supply any filesystem path. An attacker who can authenticate with an Administrator account can therefore send a request that causes the plugin to delete arbitrary files on the server. If critical files such as wp-config.php are removed, the attacker can assume full control over the site, enabling remote code execution and complete compromise. The weakness stems from insufficient input validation and results in a direct loss of confidentiality, integrity, and availability of the site's files.
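The root cause described above is a path value that is accepted as-is. The following PHP is an added example written for this page, not code from the atec Debug plugin or its vendor: it shows the kind of confinement check a plugin should apply before passing a user-controlled path to unlink(). The function names prefixed atec_example_, the allowed directory under wp-content/uploads and the nonce action name are assumptions; current_user_can(), check_admin_referer() and WP_CONTENT_DIR are real WordPress APIs.

```php
<?php
// Added example (not the atec Debug plugin's own code): confine a user-supplied
// debug log path to one allowed directory before any unlink()/file_put_contents().
// The allowed directory, function names and nonce action are assumptions.

/**
 * Return a canonical path inside $allowed_base for $requested_path, or null if the
 * request must be refused. The caller owns the directory; the user may only pick
 * a file name, which closes off "../", absolute paths and symlink escapes.
 */
function atec_example_safe_debug_path(string $allowed_base, string $requested_path): ?string
{
    $base = realpath($allowed_base);
    if ($base === false || !is_dir($base)) {
        return null; // the base directory must exist and be canonical
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // NUL bytes truncate paths in the underlying C calls; refuse them outright.
    if (strpos($requested_path, "\0") !== false) {
        return null;
    }

    // Accept a bare file name only (no directory component) from an allowlisted
    // character set with a fixed extension. basename() differing from the input
    // means a separator was present somewhere.
    $name = basename($requested_path);
    if ($name !== $requested_path || !preg_match('/^[A-Za-z0-9._-]+\.log$/', $name)) {
        return null;
    }

    $candidate = $base . $name;

    // The file may not exist yet (first write). Creation inside $base is fine and a
    // delete of a non-existent file is a no-op, so the unresolved path is returned.
    $real = realpath($candidate);
    if ($real === false) {
        return $candidate;
    }

    // realpath() follows symlinks: an existing name that points outside the base
    // (or at a directory) is rejected even though the name itself looked harmless.
    if (strncmp($real, $base, strlen($base)) !== 0 || is_dir($real)) {
        return null;
    }
    return $real;
}

/**
 * Guarded delete as a plugin handler would do it: capability check, CSRF nonce
 * check, then path confinement. Returns true only when a file inside the allowed
 * directory was actually removed.
 */
function atec_example_delete_debug_log(string $requested_path): bool
{
    if (!current_user_can('manage_options')) {
        return false;
    }
    check_admin_referer('atec_example_delete_debug_log'); // terminates on a bad nonce

    $allowed_base = WP_CONTENT_DIR . '/uploads/atec-debug'; // assumed plugin directory
    $path = atec_example_safe_debug_path($allowed_base, $requested_path);
    if ($path === null) {
        // Rejected values are worth logging: they are a signal of probing or
        // of a compromised admin account.
        error_log('atec example: rejected debug_path value');
        return false;
    }
    return file_exists($path) ? unlink($path) : false;
}

// Stand-alone exercise of the confinement logic outside WordPress (CLI only).
if (PHP_SAPI === 'cli' && !defined('ABSPATH')) {
    $tmp = sys_get_temp_dir() . '/atec-example-' . getmypid();
    mkdir($tmp, 0700, true);
    foreach (['debug.log', '../wp-config.php', '/etc/passwd', "debug.log\0.txt", 'sub/debug.log'] as $input) {
        $result = atec_example_safe_debug_path($tmp, $input);
        printf("%-22s => %s\n", json_encode($input), $result === null ? 'REJECTED' : 'allowed');
    }
    rmdir($tmp);
}
```

The design point is that the user never chooses a directory: the plugin fixes the directory and validates the file name against an allowlist, then re-checks the resolved path with realpath() so that a symlink dropped into the allowed directory cannot redirect the unlink() elsewhere. The capability and nonce checks do not remove the need for the path check, since the issue on this page is exploitable by a legitimately authenticated Administrator.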
Affected Systems
WordPress installations running the atec Debug plugin from the vendor docjojo:atec Debug, in any version up to and including 1.2.22. The vulnerability is exploitable only by users holding Administrator-level permissions or higher.
Risk and Exploitability
The vulnerability carries a CVSS score of 7.2, which is high severity, although the practical risk is moderate depending on deployment context, and an EPSS of 2%, implying a low likelihood of exploitation. The issue is not currently catalogued in CISA’s KEV list. Exploitation requires access to an account with administrator privileges; once such access is obtained through credential compromise or social engineering, the attack vector is straightforward: a crafted request containing an arbitrary path can delete critical files. The resulting loss of key configuration files can escalate into a full remote code execution scenario.
OpenCVE Enrichment